The following procedures provide the steps for obtaining a certificate from an enterprise certification authority (CA) by using Certificate Services, which is a component of Windows 2000 Server and Windows Server 2003. The procedures need to be completed in the following order:
- Create a certificate template.
- Request a certificate from the enterprise CA.
- Import the certificate into Operations Manager (for more information, see How to Import Certificates in Operations Manager 2007).
- Import the CA certificate (for more information, see How to Import a CA Certificate for Use with Operations Manager 2007).
To create a certificate template
1. On the computer that is hosting your enterprise CA, on the Windows desktop, click Start, point to Programs, point to Administrative Tools, and then click Certification Authority.
2. In the navigation pane, expand the CA name, right-click Certificate Templates, and then click Manage.
3. In the Certificate Templates console, in the results pane, right-click IPSec (Offline request), and then click Duplicate Template.
4. In the Properties of New Template dialog box, on the General tab, in the Template display name text box, type a new name for this template (for example, OperationsManagerCert).
5. On the Request Handling tab, select Allow private key to be exported, and then click CSPs.
6. In the CSP Selection dialog box, select the cryptographic service provider that best suits your business needs, and then click OK.
   Note: Windows 2000 Server will work with Microsoft Enhanced Cryptographic Provider 1.0. Windows Server 2003 and Windows XP will work with Microsoft RSA SChannel Cryptographic Provider.
7. Click the Extensions tab, and in Extensions included in this template, click Application Policies, and then click Remove.
8. In the Edit Application Policies Extension dialog box, click IP security IKE intermediate, and then click Remove.
9. Click Add; in the Application policies list, hold down the CTRL key to multi-select items from the list; click Client Authentication and Server Authentication; and then click OK.
10. In the Edit Application Policies Extension dialog box, click OK.
11. Click the Security tab, ensure that the user's group has Read and Enroll permissions, and then click OK.
To request a certificate from an enterprise CA
1. Log on to the computer where you want to install a certificate (for example, a gateway server or a management server).
2. Start Internet Explorer, and connect to the computer hosting Certificate Services (for example, http://<servername>/certsrv).
3. On the Microsoft Certificate Services Welcome page, click Request a certificate.
4. On the Request a Certificate page, click Or, submit an advanced certificate request.
5. On the Advanced Certificate Request page, click Create and submit a request to this CA.
6. On the Advanced Certificate Request page, do the following:
   - Under Certificate Template, select the name of the template you created (for example, OperationsManagerCert).
   - Under Identifying Information For Offline Template, in the Name field, enter a unique name, for example the fully qualified domain name (FQDN) of the computer you are requesting the certificate for. For the rest of the fields, enter the appropriate information.
     Note: Event ID 20052 of type error is generated if the FQDN entered into the Name field does not match the computer name.
   - Under Key Options, click Create a new key set; in the CSP field, select the cryptographic service provider that best suits your business needs; under Key Usage, select Both; under Key Size, select a key size that best suits your business needs; select Automatic key container name; ensure that Mark keys as exportable is selected; clear Export keys to file; clear Enable strong private key protection; and then click Store certificate in the local computer certificate store.
     Note: Windows 2000 Server will work with Microsoft Enhanced Cryptographic Provider 1.0. Windows Server 2003 and Windows XP will work with Microsoft RSA SChannel Cryptographic Provider.
   - Under Additional Options, under Request Format, select CMC; in the Hash Algorithm list, select SHA-1; clear Save request to a file; and then in the Friendly Name field, enter the fully qualified domain name (FQDN) of the computer that you are requesting the certificate for.
7. Click Submit.
8. If a Potential Scripting Violation dialog box is displayed, click Yes.
9. On the Certificate Issued page, click Install this certificate.
10. If a Potential Scripting Violation dialog box is displayed, click Yes.
11. On the Certificate Installed page, when you see the message that Your new certificate has been successfully installed, close the browser.
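The following script is an added check and is not part of the original procedure or the Operations Manager product. Run it in Windows PowerShell (elevated, so the private key information is readable) on the computer where the certificate was installed; it confirms that a certificate whose subject name matches the computer's FQDN is present in the local computer store with the private key, the Client Authentication and Server Authentication application policies, and the signature and exchange key usages that the request above asked for. The FQDN lookup and the property names are assumptions about the target environment, not values from the page.

```powershell
# Added verification script (not from the original page). Assumes the certificate was
# stored in the local computer's Personal store and that its subject CN is the host FQDN.
$expectedFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# Application-policy OIDs corresponding to the two policies added to the template
$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication
$x509 = 'System.Security.Cryptography.X509Certificates'

# Find candidates by subject CN; a mismatch with the computer name is what Event ID 20052 reports
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -ieq $expectedFqdn }

if (-not $candidates) {
    Write-Warning "No certificate with CN '$expectedFqdn' in Cert:\LocalMachine\My."
    return
}

foreach ($cert in $candidates) {
    $problems = @()

    if (-not $cert.HasPrivateKey) { $problems += 'private key is missing' }

    # Enhanced Key Usage extension must carry both application policies
    $eku = $cert.Extensions | Where-Object { $_ -is "$x509.X509EnhancedKeyUsageExtension" }
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $clientAuthOid) { $problems += 'Client Authentication EKU missing' }
    if ($ekuOids -notcontains $serverAuthOid) { $problems += 'Server Authentication EKU missing' }

    # Key Usage "Both" on the enrollment page means signature plus exchange (key encipherment)
    $ku = $cert.Extensions | Where-Object { $_ -is "$x509.X509KeyUsageExtension" }
    if ($ku) {
        $flags = [int]$ku.KeyUsages
        if (($flags -band [int]"$x509.X509KeyUsageFlags"::DigitalSignature) -eq 0) { $problems += 'DigitalSignature missing' }
        if (($flags -band [int]"$x509.X509KeyUsageFlags"::KeyEncipherment) -eq 0) { $problems += 'KeyEncipherment missing' }
    }

    # The template and the request both mark the key exportable; CSP-backed keys expose that flag
    $csp = if ($cert.HasPrivateKey -and $cert.PrivateKey) { $cert.PrivateKey.CspKeyContainerInfo } else { $null }
    if ($csp -and -not $csp.Exportable) { $problems += 'private key is not exportable' }

    if ((Get-Date) -gt $cert.NotAfter) { $problems += "expired on $($cert.NotAfter)" }

    if ($problems.Count -eq 0) {
        Write-Output "OK   $($cert.Thumbprint)  CN=$expectedFqdn  valid until $($cert.NotAfter)"
    } else {
        Write-Output "FAIL $($cert.Thumbprint): $($problems -join '; ')"
    }
}
```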
See Also
Tasks
How to Create a Certificate in a Stand-Alone CA for Operations Manager 2007
How to Import a CA Certificate for Use with Operations Manager 2007
How to Import Certificates in Operations Manager 2007
How to Remove a Certificate that was Imported with the MOMCertImport Tool in Operations Manager 2007
Concepts
Certificates in Operations Manager 2007
Mutual Authentication in Operations Manager 2007
Other Resources
About Security in Operations Manager 2007
Security Considerations in Operations Manager 2007